Ajax Post to Url, an insecure way to post data?

Discussion and feedback on Construct 2

Post » Tue Jun 04, 2013 5:41 am

Hi guys,

Hope you all are doing great.

I know that probably this is not the first time you receive a comment/question like this but unfortunately I was not able to find an answer surfing the web.

As you know, when you send a Ajax Post to a file the data being sent is easily traceable if you use a browser third party plugin; in order to check the functioning in some web applications I use Firebug which is the one that works better for me since it helps me a lot to identify problems in jquery plugins, php inserts and similar, so in php Im able to add security features to my code in order to avoid code injection etc (Im not even close to be a genius programmer but know the basics in several programming languages, pretty basic stuff), so after uploading one of my games for testing purposes I noticed that my inserts to the database were really insecure.

The thing is that every time my html5 game made with C2 sends a post to my php file so I can make an insert to the DB, the post is easily read in Firebug so if I copy the post url (lets say http://www.mysite.com?score=5) and execute the post again directly from my browser the post is performed again. I know I can work with sessions to increase security, require login data to know my users, set cookies etc but at the end the post will work. My concern is lets say I make a game for a company that will give any kind of prize or incentive to the users with higher scores suddenly a mid experienced programmer will be able to review the destiny of my post and simply manipulate the post from the browser and pass whatever information on a simply url (http://www.mysite.com?score=5000 or http://www.mysite.com?score=5000&var1=yoursystemstinks) its just a matter of analyzing with Firebug the content of the post and then modify the string or variables being transmitted by ajax.

I really do not want to seem dramatic, its just that Construct 2 is too good to be true and I really hope that any of you can give me some tips to increase the security of the Ajax post sent from games made with this wonderful software. Is there any way to avoid the full post url from being readable during the Ajax transmission? Any of you guys know any extra security that can be added or probably another way to send scores to a database without using the Ajax object? I know many options that could make the trick but believe me I have been running in circles, I tried to convert the c2runtime.js file to c2runtime.php and then put some hashes inside the code in order to encode it (yes later on you need to use php headers to add the js functionality to the file again), did not work. I also tried using md5 encryption to generate a key randomly and then compare it when the post reaches my php file but did not work either, at the end if you pass the md5 encoded data as it is through the browser the php file will recognize it as good due to obvious reasons, so this is not an option (lesson learned the hard way).

I will really appreciate your advice guys, this is a software used even by Microsoft so I know that any of you will have a proper answer, as I told you Im not a code guru nor a smart**s, Im just really excited with all the possibilities you get with C2, I also know tha Ajax is not the most secure option and thats not C2s fault, its just the way it is, but I know this place has brilliant minds and the best thing is that they are not selfish at all at the moment of sharing the knowledge.

Thanks again.

Posts: 23
Reputation: 821

Post » Tue Jun 04, 2013 9:08 am

I think that to post and get datas, the domain must be the same, I can mistake though
Game design is all about decomposing the core of your game so it becomes simple instructions.
Posts: 2,106
Reputation: 16,436

Post » Tue Jun 04, 2013 10:08 am

Correct, its is 100% unsafe. You have to encode all your data.
Image ImageImage
Posts: 7,964
Reputation: 92,394

Post » Tue Jun 04, 2013 11:32 am

Kyatric's plugin is the only way i know of to make your ajax post's more or less secure.

Your server should be sure that your post (and its parameters) came from your application, and from nowhere else.

The only "secure" way to do this is HMAC (http://en.wikipedia.org/wiki/Hash-based_message_authentication_code). Sounds complex, but basically very simple.

Your application signs request parameters with standard parameters and sends a hash (aka message digest). Hash to compute the parameters themselves + a shared secret key (it is very important that the key is not public, and known to both sides who want to safely talk, but no one else).

So if you're using php on your server, you should call savescores.php (preferably POST request) and post some data like:

- Name
- Score
- Hash

variables. Hash should be generated before posting (in php code):

$ Str_params = $ name. ''. $ Score;
$ Hash = hash_hmac ('sha1', $ str_params, SHARED_SECRET_KEY);

(Only would you have to do it in JavaScript, that's where kyatric's plugin comes into play)

PHP then gets all the POST parameters (each variable separately + hash), and has at its (the server) side to make verification hash (digest).

Server side doing so generates hash (digest) in the same way as the client (with the received variables).

And, if the received hash generated hash is equal that means that the parameters sent to the application came from your client (because they signed the same secret key which is known only the application and server).

If the hash is not identical, that means that someone is trying to cheat (or extremely, that you didn't generated the hashes in a correct way)

Now, the problem is how to get the SHARED_SECRET_KEY to the client?

You should think of an ability to send a key to the client without anybody knowledge. (Because if you use Ajax, then again, everyone can read it) - namely, how to pass to c2runtime a SHARED_SECRET_KEY, and that no one else knows? Server it should not send Client, otherwise the whole thing falls apart!

Take this whole post with a grain of salt, i'm sure there are better ways to do this, but i don't know them!
Be nice until it's time to not be nice
Posts: 293
Reputation: 6,662

Post » Tue Jun 04, 2013 12:21 pm

Web security is hard, especially in Javascript where all the code is locally viewable. However the size of Construct 2's engine actually works to something of an advantage here: it's so big, and all obfuscated by Closure Compiler, that it can actually be quite a lot of work just to find out where the relevant code for posting a score will be.

The most important thing IMO is not to have a single URL where you post a score, i.e. http://game.com/submit.php?score=5. That's trivially controllable. You should make it more complicated than that, e.g. introduce a back-and-forth (so there are multiple posts with other processing/logic steps in between). Then at least the bar is raised from being able to find or emulate the javascript logic running that rather than being able to enter a single URL. Then there are some cheap tricks you can throw in like appending the URL from individual characters so the URL isn't directly viewable in the source. Combine that with some other ideas in this thread and you should be able to make it script-kiddy proof, but I still wouldn't pretend it's actually secure, it's just obscure. If you put a prize on a highscore, even with these methods the prize would probably provide enough motivation for someone to crack it. You should avoid giving prizes for highscores, unless you require substantial proof like a complete playthrough video, which would be a pain.
Scirra Founder
Posts: 23,871
Reputation: 188,157

Post » Wed Jun 05, 2013 7:37 am

Thank you very much guys for your comments and ideas, you are the reason why I say that this is a wonderful community.

Will read carefully your suggestions and will check step by step Kyatric's plug in. Once again thanks a lot for replying to my post with such dedication, really appreciate it pals.

Posts: 23
Reputation: 821

Return to Construct 2 General

Who is online

Users browsing this forum: Exabot [Bot], jsydik and 7 guests